Most web applications and websites require a user to interact with them multiple times to complete a business transaction. For example, when a user shops on Amazon or Flipkart, the user selects one item at a time by clicking buttons or hyperlinks, and fills in text fields to specify the payment details. The server processes this data and may show another page.
A sequence of related HTTP requests between a web browser and a web application for accomplishing a single business transaction is called a session. All data specified by the user in a session is known as session data.
Generally, session data is private and must be protected from other users. A session generally begins when a user visits a website for the first time and ends when the user closes the browser. Because HTTP is stateless (the protocol keeps no memory of earlier requests), web applications have to use special mechanisms to securely maintain the user's session data.
Cookies are small text files which contain data stored as name-value pairs. A web application can generate multiple cookies, set their life span (how long the cookie stays alive) and send them back to the web browser as part of the response.
If cookies are allowed, the web browser stores them on the computer it runs on. When the browser sends a later HTTP request to the same web application, the cookies are sent along as part of the request.
Cookies are the simplest approach to maintaining session data, as the web server doesn't need to commit any resources to storing it. This makes cookies the most scalable approach to storing session data for a large number of users. The downside of cookies is that they are not secure.
As cookies are stored on the client's computer, they might be accessed by a third party. Also, while cookies travel between the web application and the web browser, an attacker might eavesdrop on the session data (stored in the cookie) along the path.
Some web users who are concerned about the security implications of cookies disable cookies in their browser. In such cases, another way to store session data is to use hidden fields.
A hidden field is part of an HTML form. As the name implies, a hidden field (an input element whose type is set to hidden) and its data are not displayed to the user.
The server processes the session data that arrives in the hidden fields. A hidden field can store only one value at a time. Both cookies and hidden fields are used in situations where only a limited amount of data is to be stored.
A query string is a collection of name-value pairs attached to the end of a URL. Query strings can sometimes be used to maintain session data, but only a very limited amount of data can be maintained this way. As the data in the query string is visible to the user, this approach is poorly suited to storing session data securely.
Server-Side Session Objects
To improve the security of session data, and to avoid wasting network bandwidth by moving session data back and forth between the web browser and the web server (as happens with hidden fields), most of the session data can be stored on the server by using session objects.
Every session object has a unique session ID that identifies a specific user. A session object is normally implemented as a hash table (lookup table) of name-value pairs. The session ID itself can be stored in a cookie, a hidden field or a query string.
Since this approach stores the session data on the server, it consumes server resources (memory and processor), which makes it relatively harder to serve a large number of clients concurrently.
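An added example, not from the original article, of the server-side session object described above: a hash table keyed by an unguessable session ID, with only the ID travelling in a cookie. The names SessionStore and set_cookie_header, the cookie name sid and the 30-minute lifetime are assumptions made for illustration.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800  # assumed life span in seconds, used for cookie and server entry

class SessionStore:
    """Server-side session objects: a hash table keyed by session ID."""

    def __init__(self):
        self._sessions = {}  # session ID -> (expiry time, dict of name-value pairs)

    def create(self, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[sid] = (now + SESSION_TTL, {})
        return sid

    def lookup(self, cookie_header, now=None):
        """Return the session dict for the ID in a Cookie header, or None."""
        now = time.time() if now is None else now
        cookie = SimpleCookie()
        cookie.load(cookie_header or "")
        morsel = cookie.get("sid")
        entry = self._sessions.get(morsel.value) if morsel else None
        if entry is None:
            return None  # missing, unknown or forged ID: no session
        expiry, data = entry
        if now >= expiry:
            del self._sessions[morsel.value]  # expired: free the server memory
            return None
        return data

def set_cookie_header(sid):
    """Build a Set-Cookie value that carries only the ID, never the data."""
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["max-age"] = SESSION_TTL
    cookie["sid"]["secure"] = True    # sent over HTTPS only, against eavesdropping
    cookie["sid"]["httponly"] = True  # not readable by scripts in the page
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()

# Constructed demo: the first response sets the cookie, a later request returns it.
store = SessionStore()
sid = store.create(now=1000)
store.lookup(f"sid={sid}", now=1001)["cart"] = ["book"]
```

Because the cookie holds only the random ID, the session data never leaves the server, and expiring entries on lookup bounds the memory cost the last paragraph mentions.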